US20160308891A1 - Intrusion detection mechanism - Google Patents

Intrusion detection mechanism Download PDF

Info

Publication number
US20160308891A1
US20160308891A1 US15/168,057 US201615168057A US2016308891A1 US 20160308891 A1 US20160308891 A1 US 20160308891A1 US 201615168057 A US201615168057 A US 201615168057A US 2016308891 A1 US2016308891 A1 US 2016308891A1
Authority
US
United States
Prior art keywords
message
time
node
delta time
network bus
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US15/168,057
Inventor
Harel Cain
Yaron Sella
Michal Devir
David Wende
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Cisco Technology Inc
Original Assignee
Cisco Technology Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Cisco Technology Inc filed Critical Cisco Technology Inc
Priority to US15/168,057 priority Critical patent/US20160308891A1/en
Publication of US20160308891A1 publication Critical patent/US20160308891A1/en
Abandoned legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/28Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40Bus networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/28Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46Interconnection of networks
    • H04L12/4604LAN interconnection over a backbone network, e.g. Internet, Frame Relay
    • H04L12/462LAN interconnection over a bridge based backbone
    • H04L12/4625Single bridge functionality, e.g. connection of two networks over a single bridge
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/12Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/28Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40Bus networks
    • H04L2012/40208Bus networks characterized by the use of a particular bus standard
    • H04L2012/40215Controller Area Network CAN

Definitions

  • the present disclosure generally relates to methods and apparatus to detect attacks on electronic control units of a vehicle.
  • ECUs Electronic Control Units
  • Modern vehicles typically have a multiplicity of embedded systems called Electronic Control Units (ECUs) configured to control one or more of their component electrical systems or sub-systems.
  • ECUs may be used to control a vehicle's engine, transmission, brakes, suspension, etc.
  • a vehicle may therefore be typically configured with dozens of such ECUs to control its operation.
  • ECUs may typically communicate between themselves using wired buses.
  • an attack on an ECU may be achieved using any of its data connections (physical or wireless) and may consist of executing malicious code to gain control of the ECU.
  • the compromised ECU may then be used as an entry point for the attack or further attacks such as, for example, sending malicious or illicit messages to other (sensitive) ECUs.
  • FIG. 1A is a simplified pictorial illustration of an exemplary vehicle with an intrusion detection component, constructed and operative in accordance with an embodiment of the present invention
  • FIG. 1B is a simplified pictorial illustration of an exemplary message transmitted over the communication network, constructed and operative in accordance with an embodiment of the present invention.
  • FIGS. 2 and 3 are simplified flow chart diagrams of alternative methods for alerting a processor of an anomaly detection in accordance with embodiments of the present invention.
  • a method implemented on a node connected to a network bus includes: storing one or more message identifiers, the one or more identifiers comprising at least one message identifier identifying the node, the at least one message identifier being included in a message at a time when the message is sent by the node onto the network bus; monitoring network bus traffic, the network bus traffic comprising messages transmitted by the node and by other nodes connected to the network bus; and alerting a processor of the node if a message transmitted on the network bus by at least one of the other nodes is identified as having a message identifier corresponding to the at least one message identifier.
  • FIG. 1A shows an exemplary vehicle with an intrusion detection component constructed and operative in accordance with an embodiment of the present invention.
  • a vehicle 100 is shown in FIG. 1A and typically comprises at least one vehicle's communication bus 110 which is an internal communication network that interconnects a plurality of nodes 120 (hereinafter referred as Electronic Control Units (ECUs) 120 ) inside the vehicle.
  • ECUs Electronic Control Units
  • Examples of vehicle's communication buses typically include any type of Vehicle Area network such as, but not limited to, CAN (Controller Area Network) defined in ISO 11898-1:2003 and also described in greater detail in www.ti.com/lit/an/sloa101a/sloa101a.pdf, LIN (Local Interconnect Network) described in further detail in en.wikipedia.org/wiki/Local_Interconnect_Network. FlexRay described in further detail in en.wikipedia.org/wiki/FlexRay, etc.
  • the communication bus 110 will be referred as the CAN bus 110 .
  • ECUs 120 are coupled to the CAN bus 110 .
  • These ECUs 120 are typically Electronic Control Units (ECUs) configured to control one or more of their associated electrical systems or sub-systems.
  • ECUs typically include, but are not limited to including: engine control module (ECM); powertrain control module (PCM); transmission control module (TCM); central control module (CCM); anti-lock braking system module (ABSM); central timing module (CTM); general electronic module (GEM); body control module (BCM); suspension control module (SCM); etc.
  • ECM engine control module
  • PCM powertrain control module
  • TCM transmission control module
  • CCM central control module
  • ABSM anti-lock braking system module
  • CTM central timing module
  • GEM general electronic module
  • BCM body control module
  • SCM suspension control module
  • Each ECU 120 typically comprises at least: a network interface 121 ; a CAN controller 122 ; and a host processor 123 .
  • the host processor 123 is typically a CPU (central processing unit) or microprocessor operable to interpret the messages received from other components or sub-components of the vehicle (e.g. from other ECUs 120 ), and also to decide which messages to send out/transmit.
  • the host processor 123 may be connected to actuators, sensors, switches, or any other appliances that the ECU 120 is configured to control.
  • the CAN controller 122 which may sometimes be integrated with the host processor 123 , is generally operable to receive messages from the CAN bus 110 via the network interface 121 and pass the messages received from the host processor 123 to the network interface 121 for further distribution via the CAN bus 110 .
  • the CAN controller 122 typically comprises a memory 124 for storing bits serially received from the CAN bus 110 until an entire message is available. Once stored in memory 124 , the message may be fetched by the host processor 123 for further processing.
  • the memory 124 is also configured to storing a message received from the host processor 123 that are to be transmitted to other (sub-) components of the vehicle 100 .
  • the CAN controller 122 typically transmits the message bits serially onto the CAN bus 110 .
  • the ECU 120 also comprises a network interface 121 which is typically a CAN transceiver such as, but not limited to, a CAN transceiver defined by ISO 11898-2/3 Medium Access Unit standards.
  • the role of the network interface 121 may be to drive and to detect data to and from CAN bus 110 .
  • Network interface 121 converts the single-ended logic used by the CAN controller 122 to a differential signal transmitted over the CAN bus 110 .
  • Network interface 121 also determines a bus logic state from the differential signal or voltage, rejects common-mode noise, and outputs a single-ended logic signal to the CAN controller 122 .
  • Each ECU 120 is operable to communicate with other ECUs 120 as necessary via the CAN bus 110 . Some of the ECUs 120 form independent subsystems while others require exchanging data with other ECUs 120 . Indeed, during normal operation of vehicle 100 , an ECU 120 may need to control actuators or receive feedback from one or more sensors through the CAN bus 110 . Communication between ECUs 120 is performed over the CAN bus 110 using any suitable protocol and messaging system, as will be appreciated by those skilled in the art.
  • Each message sent and/or transmitted over the CAN bus 110 typically has a pre-defined format comprising at least an identifier (ID) field and a data section (as shown in FIG. 1B ), both of them including data produced by one sending ECU 120 .
  • the data section corresponds to the current information that needs to be exchanged between a sending ECU (e.g. a first ECU 120 ) and a receiving ECU (e.g. a second ECU 120 ).
  • the ID field includes a message ID which may be eleven or twenty-nine bits long in CAN networks.
  • the message ID typically indicates the priority of the message and is typically associated with a unique ECU 120 .
  • the message ID may therefore be used as an ID for identifying a particular ECU 120 . In other words, the same message ID cannot be used by two different ECUs 120 on the same CAN bus.
  • a CAN controller 122 of a particular ECU 120 is typically operable to read every message (i.e. every single bit) that passes on the CAN bus 110 .
  • the CAN controller 122 typically determines whether or not a particular message has to be processed based on the message ID. For example, when the CAN controller 122 receives a message, the message ID of the message may be used to determine whether or not the message is relevant and/or interesting for the particular ECU 120 . In such a situation, the CAN controller 122 alerts the host processor 123 that a message has arrived. The message is then copied in a memory (not shown in FIG. 1A ) of the host processor 123 space and processed.
  • an attack may consist of impersonating a particular ECU 120 for sending false messages to another ECU 120 .
  • Another similar example may consist of sending these false messages at a higher rate than normal messages thereby saturating the CAN bus 110 and preventing the normal messages from being received by some ECUs 120 . In both cases, such attacks may either alter the proper functioning of the vehicle 100 or have a harmful effect on the passengers and/or the vehicle 100 .
  • the CAN controller 122 further comprises an intrusion detection component 125 which is able to detect such attacks.
  • the intrusion detection component 125 is operable to monitor the CAN bus 110 to detect anomalies appearing in different messages forming the CAN bus traffic.
  • An IDC 125 may be incorporated into each CAN controller 122 of each ECU 120 , thereby enabling each ECU 120 to individually analyze the messages on the CAN bus 110 and detect anomalies in a cheap and efficient manner at a hardware and/or firmware level.
  • the CAN controller 122 alerts the host processor 123 which then take remedial or protective actions.
  • an interrupt signal may be generated by the IDC 125 and sent to the host processor 123 if the latter is able to handle such interrupts.
  • different actions may be taken depending on the ECU 120 that has detected the anomaly. For example, a visual indication may be displayed on the vehicle's front panel thereby alerting the driver that something is going wrong. Another example may be to record the detected anomaly and store it in a non-volatile memory so that a mechanic may be notified at the time when the vehicle is being repaired or checked.
  • further non-limiting example available for connected vehicles may be to send an alert to a cal center or a central server external to the vehicle 100 in order to receive assistance regarding the issue in a (near) real-time fashion or even at a later time after further analysis of the alert(s) by the central/call center.
  • FIG. 2 is a simplified flow chart diagram illustrating a method for alerting a processor of an ECU of an anomaly detection in accordance with an embodiment.
  • the IDC 125 is configured to detect anomalies associated with messages sent by an ECU 120 using the message IDs.
  • the IDC 125 stores the message IDs used by the host processor 123 of the ECU 120 for sending messages to other ECUs 120 via the CAN bus 110 .
  • the message IDs may be stored in any suitable manner in a memory (not shown in FIG. 1A ) of the IDC 125 or the CAN controller 122 .
  • the message IDs may be either provided to the IDC 125 directly by the host processor 123 of the ECU 120 or dynamically extracted by the IDC 125 at the time when messages are sent by the ECU 120 .
  • the host processor 123 of the ECU 120 typically prepares and transmits the message to its CAN controller 122 .
  • the message is received by the CAN controller 122 which stores it in its memory 124 prior to transmitting the bits serially onto the CAN bus 110 via the network interface 121 .
  • the IDC 125 is configured to extract the message ID from the message, and to record the message ID.
  • the IDC 125 is further configured to monitor the CAN bus traffic (step 210 ) and identify messages transiting onto the CAN bus 110 which have a message ID matching one of the recorded message IDs (step 220 ) and which were sent by other ECUs 120 .
  • this is an anomaly indicating that the CAN network of the vehicle 100 is being attacked. This typically means that false messages impersonating a particular ECU 120 are present onto the CAN bus 110 .
  • the IDC 125 detects this anomaly (step 230 ) and alerts and/or sends an interrupt signal to the host processor 123 at step 240 .
  • FIG. 3 is a simplified flow chart diagram illustrating an alternate method for alerting a processor of an ECU of an anomaly detection in accordance with an embodiment.
  • the intrusion detection component 125 is configured to detect anomalies associated with messages sent by an ECU 120 using the message IDs and an expected delta time at which such messages are sent.
  • a message corresponding to the number of rounds per minute (RPM) of the vehicle's engine is sent at very regular intervals (e.g. every ten milliseconds) and is to be sent by the ECM and received by the TCM.
  • RPM rounds per minute
  • the IDC 125 of an ECU 120 is operable to store one or more message IDs along with their expected delta times at which subsequent messages carrying the same type of information (i.e. having a same message ID) are expected to be observed on the CAN bus 110 .
  • the message IDs and the expected delta times may be stored in any suitable manner in a memory (not shown in FIG. 1A ) of the IDC 125 or the CAN controller 122 .
  • the message IDs and the expected delta times may be either provided directly to the IDC 125 by the host processor 123 or dynamically extracted/calculated by the IDC 125 at the time when messages are sent or read by the ECU 120 .
  • the ECU 120 may also be operative to implement the method for messages that simply transit onto the CAN bus 110 i.e. messages that need not to be processed by the ECU 120 . In the latter case, the message IDs and the expected delta times may be provided to the IDC 125 by the host processor 123 or from an external source.
  • the IDC 125 of the ECU 120 is further operable to monitor the CAN bus traffic (step 310 ) for identifying messages having message IDs matching one of the recorded message IDs (step 320 ). Once such a message IDs identified at step 320 , the IDC 125 is operable to determine a delta time at which the message is observed on the CAN bus 110 (step 330 ). To do so, the IDC 125 retrieves a present time, typically corresponding to the time at which the message was observed, and determines a present delta time. The present delta time corresponds to the time difference between the arrival of the present message and the arrival of the last message having a same specific message ID. Then, the present delta time is compared to the expected delta time stored in the memory.
  • the IDC 125 is therefore able to detect an anomaly if the present delta time does not match the expected delta time. In such a situation, this is an anomaly that may be indicating that the CAN network of the vehicle 100 is being attacked. This typically means that false messages are sent in order to saturate the CAN bus 110 or that counterfeit messages are being sent out onto the CAN bus 110 . As a result, the IDC 125 alerts and/or sends an interrupt signal to the host processor 123 (step 350 ).
  • the IDC 125 typically includes a counter which is incremented at fixed intervals (e.g. every millisecond). During normal operation, the following information is stored in the memory and available to the IDC 125 for each message ID relevant to the ECU 120 :
  • the message ID is extracted and the IDC 125 uses the present value of the counter C c to compute the present delta time ⁇ t c (i.e. time interval at which two consecutive message with the same message ID are observed on the CAN bus 110 ) as follows:
  • the present computed delta time ( ⁇ t c ) is then compared to the reference delta time ( ⁇ t ref ).
  • the reference delta time ( ⁇ t ref ) is typically provided as a range and the present computed delta time ( ⁇ t c ) is compared to the upper and lower boundaries. These upper and lower boundaries typically correspond to maximum and minimum delta times or time intervals at which two consecutive messages having a same message ID can be observed onto the CAN bus 110 in normal operation. If the present computed delta time ( ⁇ t c ) is more than the maximum reference delta time and/or is less than the minimum reference delta time, then an alarm signal is generated and sent to the host processor 123 . Subsequently, whether or not an alarm signal has been generated, the C p value is updated i.e.
  • the maximum and minimum reference delta times may not be available or known thereby preventing the host processor 123 for providing them to the IDC 125 .
  • default values may be used by the IDC 125 such as for example zero for the minimum reference delta time and positive infinity for the maximum reference delta time.
  • a previous computed delta time ( ⁇ t p ) is stored in memory and is available to the IDC 125 for each message ID relevant to the ECU 120 .
  • the previous computed delta time ( ⁇ t p ) may correspond, for example, but not limited to, to the time difference between the time at which the second last message was observed and the time at which the last message was observed.
  • the present computed delta time ( ⁇ t c ) is then compared the previous computed delta time ( ⁇ t p ) which is therefore used as the expected delta time or as an additional expected delta time if the present computed delta time ( ⁇ t c ) was first compared to the reference delta time ( ⁇ t ref ).
  • the present computed delta time ( ⁇ t c ) is different from the previous computed delta time ( ⁇ t p ) or if a difference (in absolute value) between the present computed delta time ( ⁇ t c ) and the previous computed delta time ( ⁇ t p ) exceeds a predefined and configurable threshold, an alarm signal is generated and sent to the host processor 123 . Subsequently, the C p value is updated i.e. set to the current value C c and stored in memory. Also, the present computed delta time ( ⁇ t c ) is stored in memory in place of the previous computed delta time ( ⁇ t p ).
  • a plurality of counters may be provided typically one counter per type of messages (message ID) that the IDC 125 is instructed to monitor.
  • the present delta time is determined directly by using the counter present value.
  • the counter present value used for the delta time determination is then reset to zero. The other method steps remain unchanged.
  • the alarm signal may be a direct and/or an interrupt signal generated and sent by the IDC 125 to the host processor 123 . Additional information may further be associated with the direct and/or interrupt signals during the generating step to indicate to the host processor 123 that a type of detected anomaly or merely that an anomaly has been detected. Another exemplary way to alert the host processor 123 of the detected anomaly may be to wait for the host processor 123 pulling/sampling the contents of the received message from the CAN controller 122 . Upon detection of an anomaly, the IDC 125 may be operable to add few “alerting” bits into the original message indicating the detection and type of anomaly. Then, when the host processor 123 processes the message transmitted from the CAN controller 122 , it is alerted of the attack and may take some remedial or protective actions.
  • the host processor 123 may be alerted whenever a change in the delta time at which messages having a specific ID are observed on the CAN bus 110 occurs.
  • the delta time at which certain messages are transmitted and/or received at some ECUs 120 may change over time as part of the normal operation of the vehicle 100 .
  • the corresponding message although initially transmitted every ten milliseconds, may then be transmitted every five milliseconds under certain circumstances but still as part of the normal operating mode of the vehicle 100 .
  • the IDC 125 may be informed directly by the host processor 123 of such a change or may update the expected delta time in the memory after having observed two or more consecutive messages with such new delta time. However, in order to avoid false alarms due to such delta time changes, the IDC 125 may generate and send an alarm signal only when repetitive anomalies are detected (e.g. for a certain number of consecutive messages; and/or for a certain number of messages during a pre-defined period of time; etc.). Conversely, the IDC 125 may generate and send the alarm signal whenever an anomaly is detected while the host processor 123 is configured to take remedial or protective actions only if it receives repetitive alarm signals (e.g. a certain number of consecutive alarm signals and/or a certain number of alarm signals received during a pre-defined period of time) from the IDC 125 .
  • repetitive alarm signals e.g. a certain number of consecutive alarm signals and/or a certain number of alarm signals received during a pre-defined period of time
  • software components of the present invention may, if desired, be implemented in ROM (read only memory) form.
  • the software components may, generally, be implemented in hardware, if desired, using conventional techniques.
  • the software components may be instantiated, for example: as a computer program product or on a tangible medium. In some cases, it may be possible to instantiate the software components as a signal interpretable by an appropriate computer, although such an instantiation may be excluded in certain embodiments of the present invention.

Abstract

In one embodiment, a method implemented on a node connected to a network bus includes: storing one or more message identifiers, the one or more identifiers comprising at least one message identifier identifying the node, the at least one message identifier being included in a message at a time when the message is sent by the node onto the network bus; monitoring network bus traffic, the network bus traffic comprising messages transmitted by the node and by other nodes connected to the network bus; and alerting a processor of the node if a message transmitted on the network bus by at least one of the other nodes is identified as having a message identifier corresponding to the at least one message identifier.

Description

  • The present application is a continuation of U.S. patent application Ser. No. 14/600,129, filed on 20 Jan. 2015.
    • TECHNICAL FIELD
  • The present disclosure generally relates to methods and apparatus to detect attacks on electronic control units of a vehicle.
    • BACKGROUND
  • Modern vehicles typically have a multiplicity of embedded systems called Electronic Control Units (ECUs) configured to control one or more of their component electrical systems or sub-systems. For example, ECUs may be used to control a vehicle's engine, transmission, brakes, suspension, etc. A vehicle may therefore be typically configured with dozens of such ECUs to control its operation. ECUs may typically communicate between themselves using wired buses.
  • Most modern vehicles are also now equipped with a variety of wireless interfaces which increase their exposure/vulnerability to remote attacks by hackers and/or random interference from other wireless communications. Typically, an attack on an ECU may be achieved using any of its data connections (physical or wireless) and may consist of executing malicious code to gain control of the ECU. The compromised ECU may then be used as an entry point for the attack or further attacks such as, for example, sending malicious or illicit messages to other (sensitive) ECUs.
    • BRIEF DESCRIPTION OF THE DRAWINGS
  • The present invention will be understood and appreciated more fully from the following detailed description, taken in conjunction with the drawings in which:
  • FIG. 1A is a simplified pictorial illustration of an exemplary vehicle with an intrusion detection component, constructed and operative in accordance with an embodiment of the present invention;
  • FIG. 1B is a simplified pictorial illustration of an exemplary message transmitted over the communication network, constructed and operative in accordance with an embodiment of the present invention, and
  • FIGS. 2 and 3 are simplified flow chart diagrams of alternative methods for alerting a processor of an anomaly detection in accordance with embodiments of the present invention.
    •  DESCRIPTION OF EXAMPLE EMBODIMENTS Overview
  • In one embodiment, a method implemented on a node connected to a network bus includes: storing one or more message identifiers, the one or more identifiers comprising at least one message identifier identifying the node, the at least one message identifier being included in a message at a time when the message is sent by the node onto the network bus; monitoring network bus traffic, the network bus traffic comprising messages transmitted by the node and by other nodes connected to the network bus; and alerting a processor of the node if a message transmitted on the network bus by at least one of the other nodes is identified as having a message identifier corresponding to the at least one message identifier.
    • DETAILED DESCRIPTION OF EXAMPLE EMBODIMENTS
  • Reference is now made to FIG. 1A, which shows an exemplary vehicle with an intrusion detection component constructed and operative in accordance with an embodiment of the present invention. A vehicle 100 is shown in FIG. 1A and typically comprises at least one vehicle's communication bus 110 which is an internal communication network that interconnects a plurality of nodes 120 (hereinafter referred as Electronic Control Units (ECUs) 120) inside the vehicle. Examples of vehicle's communication buses typically include any type of Vehicle Area network such as, but not limited to, CAN (Controller Area Network) defined in ISO 11898-1:2003 and also described in greater detail in www.ti.com/lit/an/sloa101a/sloa101a.pdf, LIN (Local Interconnect Network) described in further detail in en.wikipedia.org/wiki/Local_Interconnect_Network. FlexRay described in further detail in en.wikipedia.org/wiki/FlexRay, etc. In the following description, the communication bus 110 will be referred as the CAN bus 110.
  • A plurality of ECUs 120 are coupled to the CAN bus 110. These ECUs 120 are typically Electronic Control Units (ECUs) configured to control one or more of their associated electrical systems or sub-systems. Non-limiting examples of such ECUs typically include, but are not limited to including: engine control module (ECM); powertrain control module (PCM); transmission control module (TCM); central control module (CCM); anti-lock braking system module (ABSM); central timing module (CTM); general electronic module (GEM); body control module (BCM); suspension control module (SCM); etc. Although described as separate modules, it will be apparent to those skilled in the art that one module may incorporate a plurality of the control modules listed hereinabove.
  • Each ECU 120 typically comprises at least: a network interface 121; a CAN controller 122; and a host processor 123. The host processor 123 is typically a CPU (central processing unit) or microprocessor operable to interpret the messages received from other components or sub-components of the vehicle (e.g. from other ECUs 120), and also to decide which messages to send out/transmit. Although not shown in FIG. 1A, the host processor 123 may be connected to actuators, sensors, switches, or any other appliances that the ECU 120 is configured to control.
  • The CAN controller 122, which may sometimes be integrated with the host processor 123, is generally operable to receive messages from the CAN bus 110 via the network interface 121 and pass the messages received from the host processor 123 to the network interface 121 for further distribution via the CAN bus 110. The CAN controller 122 typically comprises a memory 124 for storing bits serially received from the CAN bus 110 until an entire message is available. Once stored in memory 124, the message may be fetched by the host processor 123 for further processing. The memory 124 is also configured to storing a message received from the host processor 123 that are to be transmitted to other (sub-) components of the vehicle 100. The CAN controller 122 typically transmits the message bits serially onto the CAN bus 110.
  • As mentioned above, the ECU 120 also comprises a network interface 121 which is typically a CAN transceiver such as, but not limited to, a CAN transceiver defined by ISO 11898-2/3 Medium Access Unit standards. In one embodiment, the role of the network interface 121 may be to drive and to detect data to and from CAN bus 110. Network interface 121 converts the single-ended logic used by the CAN controller 122 to a differential signal transmitted over the CAN bus 110. Network interface 121 also determines a bus logic state from the differential signal or voltage, rejects common-mode noise, and outputs a single-ended logic signal to the CAN controller 122.
  • Each ECU 120 is operable to communicate with other ECUs 120 as necessary via the CAN bus 110. Some of the ECUs 120 form independent subsystems while others require exchanging data with other ECUs 120. Indeed, during normal operation of vehicle 100, an ECU 120 may need to control actuators or receive feedback from one or more sensors through the CAN bus 110. Communication between ECUs 120 is performed over the CAN bus 110 using any suitable protocol and messaging system, as will be appreciated by those skilled in the art.
  • Each message sent and/or transmitted over the CAN bus 110 typically has a pre-defined format comprising at least an identifier (ID) field and a data section (as shown in FIG. 1B), both of them including data produced by one sending ECU 120. The data section corresponds to the current information that needs to be exchanged between a sending ECU (e.g. a first ECU 120) and a receiving ECU (e.g. a second ECU 120). The ID field includes a message ID which may be eleven or twenty-nine bits long in CAN networks. The message ID typically indicates the priority of the message and is typically associated with a unique ECU 120. The message ID may therefore be used as an ID for identifying a particular ECU 120. In other words, the same message ID cannot be used by two different ECUs 120 on the same CAN bus.
  • During normal operation, a CAN controller 122 of a particular ECU 120 is typically operable to read every message (i.e. every single bit) that passes on the CAN bus 110. The CAN controller 122 typically determines whether or not a particular message has to be processed based on the message ID. For example, when the CAN controller 122 receives a message, the message ID of the message may be used to determine whether or not the message is relevant and/or interesting for the particular ECU 120. In such a situation, the CAN controller 122 alerts the host processor 123 that a message has arrived. The message is then copied in a memory (not shown in FIG. 1A) of the host processor 123 space and processed. Otherwise, the message is ignored, that is to say not processed and the CAN controller 122 continues to monitor other messages transiting onto the CAN bus 110. However, there are many ways attacks may be accomplished once access to the CAN bus 110 is gained and/or when an ECU 120 is compromised. For example, an attack may consist of impersonating a particular ECU 120 for sending false messages to another ECU 120. Another similar example may consist of sending these false messages at a higher rate than normal messages thereby saturating the CAN bus 110 and preventing the normal messages from being received by some ECUs 120. In both cases, such attacks may either alter the proper functioning of the vehicle 100 or have a harmful effect on the passengers and/or the vehicle 100.
  • In an exemplary embodiment of the present invention, the CAN controller 122 further comprises an intrusion detection component 125 which is able to detect such attacks. Typically, the intrusion detection component 125 (IDC) is operable to monitor the CAN bus 110 to detect anomalies appearing in different messages forming the CAN bus traffic. An IDC 125 may be incorporated into each CAN controller 122 of each ECU 120, thereby enabling each ECU 120 to individually analyze the messages on the CAN bus 110 and detect anomalies in a cheap and efficient manner at a hardware and/or firmware level. Whenever an IDC 125 of an ECU 120 detects an anomaly, the CAN controller 122 alerts the host processor 123 which then take remedial or protective actions. Additionally and/or alternatively, an interrupt signal may be generated by the IDC 125 and sent to the host processor 123 if the latter is able to handle such interrupts. As a result, different actions may be taken depending on the ECU 120 that has detected the anomaly. For example, a visual indication may be displayed on the vehicle's front panel thereby alerting the driver that something is going wrong. Another example may be to record the detected anomaly and store it in a non-volatile memory so that a mechanic may be notified at the time when the vehicle is being repaired or checked. further non-limiting example available for connected vehicles may be to send an alert to a cal center or a central server external to the vehicle 100 in order to receive assistance regarding the issue in a (near) real-time fashion or even at a later time after further analysis of the alert(s) by the central/call center.
  • Reference is now made to FIG. 2, which is a simplified flow chart diagram illustrating a method for alerting a processor of an ECU of an anomaly detection in accordance with an embodiment. In an example embodiment, the IDC 125 is configured to detect anomalies associated with messages sent by an ECU 120 using the message IDs. At step 200, the IDC 125 stores the message IDs used by the host processor 123 of the ECU 120 for sending messages to other ECUs 120 via the CAN bus 110. The message IDs may be stored in any suitable manner in a memory (not shown in FIG. 1A) of the IDC 125 or the CAN controller 122. The message IDs may be either provided to the IDC 125 directly by the host processor 123 of the ECU 120 or dynamically extracted by the IDC 125 at the time when messages are sent by the ECU 120. In the latter case, when a message is to be sent by the ECU 120 to another ECU 120 through the CAN bus 110, the host processor 123 of the ECU 120 typically prepares and transmits the message to its CAN controller 122. The message is received by the CAN controller 122 which stores it in its memory 124 prior to transmitting the bits serially onto the CAN bus 110 via the network interface 121. At the time when the message is being stored into the memory 124, the IDC 125 is configured to extract the message ID from the message, and to record the message ID. The IDC 125 is further configured to monitor the CAN bus traffic (step 210) and identify messages transiting onto the CAN bus 110 which have a message ID matching one of the recorded message IDs (step 220) and which were sent by other ECUs 120. When such a message is identified on the CAN bus 110 at step 230, this is an anomaly indicating that the CAN network of the vehicle 100 is being attacked. This typically means that false messages impersonating a particular ECU 120 are present onto the CAN bus 110. As a result, the IDC 125 detects this anomaly (step 230) and alerts and/or sends an interrupt signal to the host processor 123 at step 240.
  • Reference is now made to FIG. 3, which is a simplified flow chart diagram illustrating an alternate method for alerting a processor of an ECU of an anomaly detection in accordance with an embodiment. In another further example embodiment, the intrusion detection component 125 is configured to detect anomalies associated with messages sent by an ECU 120 using the message IDs and an expected delta time at which such messages are sent. In normal CAN network configurations, there is a particular delta time or time interval associated with messages sent and/or received by particular ECUs 120. For example, a message corresponding to the number of rounds per minute (RPM) of the vehicle's engine is sent at very regular intervals (e.g. every ten milliseconds) and is to be sent by the ECM and received by the TCM. Therefore, at step 300, the IDC 125 of an ECU 120 is operable to store one or more message IDs along with their expected delta times at which subsequent messages carrying the same type of information (i.e. having a same message ID) are expected to be observed on the CAN bus 110. As explained hereinabove in relation to the method of FIG. 2, the message IDs and the expected delta times may be stored in any suitable manner in a memory (not shown in FIG. 1A) of the IDC 125 or the CAN controller 122. In a situation where the messages correspond to messages sent and/or received by the ECU 120, the message IDs and the expected delta times may be either provided directly to the IDC 125 by the host processor 123 or dynamically extracted/calculated by the IDC 125 at the time when messages are sent or read by the ECU 120. Furthermore, the ECU 120 may also be operative to implement the method for messages that simply transit onto the CAN bus 110 i.e. messages that need not to be processed by the ECU 120. In the latter case, the message IDs and the expected delta times may be provided to the IDC 125 by the host processor 123 or from an external source. In any case, the IDC 125 of the ECU 120 is further operable to monitor the CAN bus traffic (step 310) for identifying messages having message IDs matching one of the recorded message IDs (step 320). Once such a message IDs identified at step 320, the IDC 125 is operable to determine a delta time at which the message is observed on the CAN bus 110 (step 330). To do so, the IDC 125 retrieves a present time, typically corresponding to the time at which the message was observed, and determines a present delta time. The present delta time corresponds to the time difference between the arrival of the present message and the arrival of the last message having a same specific message ID. Then, the present delta time is compared to the expected delta time stored in the memory. At step 340, the IDC 125 is therefore able to detect an anomaly if the present delta time does not match the expected delta time. In such a situation, this is an anomaly that may be indicating that the CAN network of the vehicle 100 is being attacked. This typically means that false messages are sent in order to saturate the CAN bus 110 or that counterfeit messages are being sent out onto the CAN bus 110. As a result, the IDC 125 alerts and/or sends an interrupt signal to the host processor 123 (step 350).
  • In an example implementation of the alternate anomaly detection method of FIG. 3, the IDC 125 typically includes a counter which is incremented at fixed intervals (e.g. every millisecond). During normal operation, the following information is stored in the memory and available to the IDC 125 for each message ID relevant to the ECU 120:
      • Cp: counter value at the time when the previous message was observed on the CAN bus 110, and
      • Δtref: reference delta time provided by the host processor 123.
  • When a message is observed on the CAN bus 110 and read by the CAN controller 122, the message ID is extracted and the IDC 125 uses the present value of the counter Cc to compute the present delta time Δtc (i.e. time interval at which two consecutive message with the same message ID are observed on the CAN bus 110) as follows:

  • Δt c =C c −C p
  • The present computed delta time (Δtc) is then compared to the reference delta time (Δtref). The reference delta time (Δtref) is typically provided as a range and the present computed delta time (Δtc) is compared to the upper and lower boundaries. These upper and lower boundaries typically correspond to maximum and minimum delta times or time intervals at which two consecutive messages having a same message ID can be observed onto the CAN bus 110 in normal operation. If the present computed delta time (Δtc) is more than the maximum reference delta time and/or is less than the minimum reference delta time, then an alarm signal is generated and sent to the host processor 123. Subsequently, whether or not an alarm signal has been generated, the Cp value is updated i.e. set to the current value Cc and stored in memory. Those skilled in the art will appreciate that the maximum and minimum reference delta times may not be available or known thereby preventing the host processor 123 for providing them to the IDC 125. In such a situation, default values may be used by the IDC 125 such as for example zero for the minimum reference delta time and positive infinity for the maximum reference delta time.
  • Additionally and/or alternatively, a previous computed delta time (Δtp) is stored in memory and is available to the IDC 125 for each message ID relevant to the ECU 120. The previous computed delta time (Δtp) may correspond, for example, but not limited to, to the time difference between the time at which the second last message was observed and the time at which the last message was observed. The present computed delta time (Δtc) is then compared the previous computed delta time (Δtp) which is therefore used as the expected delta time or as an additional expected delta time if the present computed delta time (Δtc) was first compared to the reference delta time (Δtref). If the present computed delta time (Δtc) is different from the previous computed delta time (Δtp) or if a difference (in absolute value) between the present computed delta time (Δtc) and the previous computed delta time (Δtp) exceeds a predefined and configurable threshold, an alarm signal is generated and sent to the host processor 123. Subsequently, the Cp value is updated i.e. set to the current value Cc and stored in memory. Also, the present computed delta time (Δtc) is stored in memory in place of the previous computed delta time (Δtp).
  • Those skilled in the art will appreciate that the method described in the previous paragraphs may be achieved using a single counter. However, in another example, a plurality of counters may be provided typically one counter per type of messages (message ID) that the IDC 125 is instructed to monitor. In the latter case, the present delta time is determined directly by using the counter present value. The counter present value used for the delta time determination is then reset to zero. The other method steps remain unchanged.
  • The alarm signal may be a direct and/or an interrupt signal generated and sent by the IDC 125 to the host processor 123. Additional information may further be associated with the direct and/or interrupt signals during the generating step to indicate to the host processor 123 that a type of detected anomaly or merely that an anomaly has been detected. Another exemplary way to alert the host processor 123 of the detected anomaly may be to wait for the host processor 123 pulling/sampling the contents of the received message from the CAN controller 122. Upon detection of an anomaly, the IDC 125 may be operable to add few “alerting” bits into the original message indicating the detection and type of anomaly. Then, when the host processor 123 processes the message transmitted from the CAN controller 122, it is alerted of the attack and may take some remedial or protective actions.
  • By implementing such a method, the host processor 123 may be alerted whenever a change in the delta time at which messages having a specific ID are observed on the CAN bus 110 occurs. However, those skilled in the art will appreciate that the delta time at which certain messages are transmitted and/or received at some ECUs 120 may change over time as part of the normal operation of the vehicle 100. Taking again the example of the number of rounds per minute of the vehicle's engine, the corresponding message, although initially transmitted every ten milliseconds, may then be transmitted every five milliseconds under certain circumstances but still as part of the normal operating mode of the vehicle 100. In this case, the IDC 125 may be informed directly by the host processor 123 of such a change or may update the expected delta time in the memory after having observed two or more consecutive messages with such new delta time. However, in order to avoid false alarms due to such delta time changes, the IDC 125 may generate and send an alarm signal only when repetitive anomalies are detected (e.g. for a certain number of consecutive messages; and/or for a certain number of messages during a pre-defined period of time; etc.). Conversely, the IDC 125 may generate and send the alarm signal whenever an anomaly is detected while the host processor 123 is configured to take remedial or protective actions only if it receives repetitive alarm signals (e.g. a certain number of consecutive alarm signals and/or a certain number of alarm signals received during a pre-defined period of time) from the IDC 125.
  • It is appreciated that software components of the present invention may, if desired, be implemented in ROM (read only memory) form. The software components may, generally, be implemented in hardware, if desired, using conventional techniques. It is further appreciated that the software components may be instantiated, for example: as a computer program product or on a tangible medium. In some cases, it may be possible to instantiate the software components as a signal interpretable by an appropriate computer, although such an instantiation may be excluded in certain embodiments of the present invention.
  • It is appreciated that various features of the invention which are, for clarity, described in the contexts of separate embodiments may also be provided in combination in a single embodiment. Conversely, various features of the invention which are, for brevity, described in the context of a single embodiment may also be provided separately or in any suitable subcombination.
  • It will be appreciated by persons skilled in the art that the present invention is not limited by what has been particularly shown and described hereinabove. Rather the scope of the invention is defined by the appended claims and equivalents thereof:

Claims (20)

1. method implemented on a node connected to a network bus, said method comprising:
storing one or more message identifiers, said one or more identifiers comprising at least one message identifier identifying said node, said at least one message identifier being included in a message at a time when said message is sent by said node onto said network bus;
monitoring network bus traffic, said network bus traffic comprising messages transmitted by said node and by other nodes connected to said network bus; and
alerting a processor of said node when a message transmitted on said network bus by at least one of said other nodes is identified as having a message identifier corresponding to said at least one message identifier.
2. The method of claim 1, wherein:
said stored one or more identifiers comprises at least one message identifier identifying at least one node connected to said network bus, said at least one message identifier being included in a message at a time when said message is sent by said at least one node onto said network bus;
said storing further comprises: storing an expected delta time along with said at least one message identifier identifying said at least one node, said expected delta time corresponding to a time difference associated with times at which two consecutive messages including said at least one message identifier are expected to be observed on said network bus;
said method further comprising: determining a present delta time for a present message of said network traffic having said stored at least one message identifier, said present delta time corresponding to a time difference associated with times at which said present message and a last message having said stored at least one message identifier are observed on said network bus; and
said alerting comprises alerting a processor of said node when said determined present delta time is different from said stored expected delta time.
3. The method of claim 2, wherein said stored expected delta time comprises a maximum delta time and a minimum delta time; and said alerting comprises alerting the processor of said node when said determined present delta time is more than said maximum delta time or is less than said minimum delta time.
4. The method of claim 2, wherein a previously determined delta time is used as said stored expected delta time.
5. (canceled)
6. The method of claim 2, wherein said stored expected delta time comprises a maximum delta time, a minimum delta time and a previously determined delta time; and said alerting comprises alerting the processor of said node when one or more of the following conditions is met:
said determined delta time is more than said maximum delta time;
said determined delta time is less than said minimum delta time;
a difference, in absolute value, between said determined present delta time and a previously determined delta time exceeds a predefined threshold.
7. The method of claim 2, wherein said determining comprises:
retrieving a first time value from a counter of said node, said first time value corresponding to a time at which said present message is observed on said network bus;
retrieving a second time value from a memory of said node, said second time value corresponding to a time at which said last message was observed on said network bus; and
determining a present delta time by computing a time difference between said first and second time values.
8. The method of claim 7, further comprising:
after said retrieving a second time value, storing said first time value in said memory in place of said second time value.
9. The method of claim 2, wherein said determining comprises:
providing one or more counters at said node, each counter being associated with a single message identifier;
retrieving a time value from a counter associated with said at least one message identifier, said time value corresponding to a time at which said present message is observed on said network bus; and
determining a present delta time by using said retrieved time value.
10. The method of claim 9, further comprising:
resetting said counter to zero after having determined said present delta time.
11. The method of claim 2, wherein said alerting further comprises:
generating an alarm signal when said determined delta time is different from said expected delta time; and
sending said generated alarm signal to said processor of said node.
12. The method of claim 11, wherein said alarm signal is generated and sent to said processor whenever said determined delta time is different from said expected delta time.
13. The method of claim 11, wherein said alarm signal is generated and sent to said processor when a certain number of determined delta times for a certain number of messages having said at least one message identifier are different from said expected delta time.
14. The method of claim 11, wherein said alarm signal is generated and sent to said processor when a certain number of determined delta times for messages having said at least one message identifier are different from said expected delta time during a predefined period of time.
15. The method of claim 11, wherein said alarm signal comprises an interrupt signal associated with additional information, said additional information indicating a type of detected anomaly.
16. The method of claim 11, wherein:
said generating comprises:
retrieving said present message; and
inserting additional bits in said retrieved present message, said additional bits indicating to said processor a type of detected anomaly; and
said sending comprises sending said retrieved present message including said inserted additional bits to said processor of said node.
17. A node connected to a network bus, said node comprising:
a network interface;
a processor; and
a controller;
wherein said controller further comprises an intrusion detection component operable to:
store one or more message identifiers, said one or more message identifiers comprising at least one message identifier identifying said node, said at least one message identifier being included in a message at a time when said message is sent by said node onto said network bus;
monitor network bus traffic, said network bus traffic comprising messages transmitted by said node and by other nodes connected to said network bus; and
alert said processor when a message transmitted on said network bus by at least one of said other nodes is identified as having a message identifier corresponding to said at least one message identifier.
18. The node of claim 17, wherein said intrusion detection component is further operable to extract said at least one message identifier from a message received from said processor of said node that is to be transmitted onto said network bus.
19. The node of claim 17, wherein said stored one or more identifiers comprises at least one message identifier identifying at least one node connected to said network bus, said at least one message identifier being included in a message at a time when said message is sent by said at least one node onto said network bus; and
said intrusion detection component being further operable to:
store an expected delta time along with said at least one message identifier identifying said at least one node, said expected delta time corresponding to a time difference associated with times at which two consecutive messages including said at least one message identifier are expected to be observed on said network bus;
determine a present delta time for a present message of said network traffic having said stored at least one message identifier, said present delta time corresponding to a time difference associated with times at which said present message and a last message having said stored at least one message identifier are observed on said network bus; and
alert said processor when said determined present delta time is different from said stored expected delta time.
20. The node of claim 19, wherein said expected delta time is provided by said processor.
US15/168,057 2015-01-20 2016-05-29 Intrusion detection mechanism Abandoned US20160308891A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US15/168,057 US20160308891A1 (en) 2015-01-20 2016-05-29 Intrusion detection mechanism

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US14/600,129 US9380070B1 (en) 2015-01-20 2015-01-20 Intrusion detection mechanism
US15/168,057 US20160308891A1 (en) 2015-01-20 2016-05-29 Intrusion detection mechanism

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US14/600,129 Continuation US9380070B1 (en) 2015-01-20 2015-01-20 Intrusion detection mechanism

Publications (1)

Publication Number Publication Date
US20160308891A1 true US20160308891A1 (en) 2016-10-20

Family

ID=56136535

Family Applications (2)

Application Number Title Priority Date Filing Date
US14/600,129 Active US9380070B1 (en) 2015-01-20 2015-01-20 Intrusion detection mechanism
US15/168,057 Abandoned US20160308891A1 (en) 2015-01-20 2016-05-29 Intrusion detection mechanism

Family Applications Before (1)

Application Number Title Priority Date Filing Date
US14/600,129 Active US9380070B1 (en) 2015-01-20 2015-01-20 Intrusion detection mechanism

Country Status (1)

Country Link
US (2) US9380070B1 (en)

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107508831A (en) * 2017-09-21 2017-12-22 华东师范大学 A kind of intrusion detection method based on bus
IT201600111869A1 (en) * 2016-11-07 2018-05-07 Magneti Marelli Spa "Procedure for monitoring data traffic in a motor vehicle or motor vehicle network"
CN109005147A (en) * 2017-06-07 2018-12-14 罗伯特·博世有限公司 The method for protecting vehicle network for avoiding the data being manipulated from transmitting
CN109660506A (en) * 2017-10-11 2019-04-19 大众汽车有限公司 Message sequence and identification are transmitted to the method and apparatus of the attack of message sequence
US20190342115A1 (en) * 2017-01-19 2019-11-07 Conti Temic Microelectronic Gmbh Method for operating a monitoring device for a data network of a motor vehicle and monitoring device, control unit and motor vehicle
CN110636048A (en) * 2019-08-27 2019-12-31 华东师范大学 Vehicle-mounted intrusion detection method and system based on ECU signal characteristic identifier
US20200259846A1 (en) * 2017-10-30 2020-08-13 Nippon Telegraph And Telephone Corporation Attack communication detection device, attack communication detection method, and program
WO2021030123A1 (en) * 2019-08-12 2021-02-18 Voyomotive, Llc A method and apparatus for controller area network bus intrusion detection and neutralization
CN112673344A (en) * 2020-07-30 2021-04-16 华为技术有限公司 Method, device and system for upgrading software
WO2021083112A1 (en) * 2019-10-31 2021-05-06 维沃移动通信有限公司 Information sharing method and electronic device
WO2021099186A3 (en) * 2019-11-22 2021-07-22 Volkswagen Aktiengesellschaft Method for monitoring communication on a communication bus, electronic device for connection to a communication bus, and central monitoring device for connection to a communication bus
US20210349993A1 (en) * 2018-10-11 2021-11-11 Autovisor Pte. Ltd System and method for detecting unauthorized connected devices in a vehicle
US11190533B2 (en) * 2016-07-05 2021-11-30 Panasonic Intellectual Property Corporation Of America Anomaly detection electronic control unit, onboard network system, and anomaly detection method
US11245549B2 (en) * 2015-07-17 2022-02-08 Robert Bosch Gmbh Bus system, subscriber station therefor, and method for configuring a static bus system for a dynamic communication

Families Citing this family (29)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9686169B2 (en) 2012-07-02 2017-06-20 Ixia Real-time highly accurate network latency measurement with low generated traffic or data requirements
RO131470A2 (en) 2015-04-10 2016-10-28 Ixia, A California Corporation Methods, systems and computer-readable media for one-way link delay measurement
US9736804B2 (en) 2015-04-16 2017-08-15 Ixia Methods, systems, and computer readable media for synchronizing timing among network interface cards (NICS) in a network equipment test device
US10019333B2 (en) 2015-04-16 2018-07-10 Keysight Technologies Singapore (Holdings) Pte. Ltd. Methods, systems, and computer readable media for emulating network devices with different clocks
RO131471A2 (en) 2015-04-21 2016-10-28 Ixia, A California Corporation Methods, systems and computer-readable media for testing quality of recovered clock
US10298612B2 (en) 2015-06-29 2019-05-21 Argus Cyber Security Ltd. System and method for time based anomaly detection in an in-vehicle communication network
US10798114B2 (en) 2015-06-29 2020-10-06 Argus Cyber Security Ltd. System and method for consistency based anomaly detection in an in-vehicle communication network
US11165851B2 (en) 2015-06-29 2021-11-02 Argus Cyber Security Ltd. System and method for providing security to a communication network
US9813226B2 (en) 2015-08-05 2017-11-07 Ixia Modeling a clock
US9800595B2 (en) * 2015-09-21 2017-10-24 Ixia Methods, systems, and computer readable media for detecting physical link intrusions
US10361934B2 (en) * 2015-09-28 2019-07-23 Nxp B.V. Controller area network (CAN) device and method for controlling CAN traffic
KR101714520B1 (en) * 2015-10-30 2017-03-09 현대자동차주식회사 In-Vehicle Network Attack Detection Method and Apparatus
US10142358B1 (en) * 2016-02-29 2018-11-27 Symantec Corporation System and method for identifying an invalid packet on a controller area network (CAN) bus
US10193903B1 (en) * 2016-04-29 2019-01-29 Symantec Corporation Systems and methods for detecting suspicious microcontroller messages
US10609054B2 (en) 2017-04-07 2020-03-31 Keysight Technologies Singapore (Sales) Pte. Ltd. Methods, systems, and computer readable media for monitoring, adjusting, and utilizing latency associated with accessing distributed computing resources
US10425321B2 (en) 2017-04-25 2019-09-24 Keysight Technologies Singapore (Sales) Pte. Ltd. Methods, systems, and computer readable media for testing time sensitive network (TSN) elements
US10666671B2 (en) 2017-04-26 2020-05-26 Cisco Technology, Inc. Data security inspection mechanism for serial networks
EP4155998B1 (en) * 2017-08-18 2023-10-11 Nippon Telegraph And Telephone Corporation Intrusion prevention device, intrusion prevention method, and program
US10484425B2 (en) 2017-09-28 2019-11-19 The Mitre Corporation Controller area network frame override
CN110771099B (en) 2018-05-23 2022-08-26 松下电器(美国)知识产权公司 Abnormality detection device, abnormality detection method, and recording medium
US10965392B2 (en) 2019-01-25 2021-03-30 Keysight Technologies, Inc. Active network tap supporting time sensitive network (TSN) standards
US11563768B2 (en) 2019-01-31 2023-01-24 Keysight Technologies, Inc. Methods, systems, and computer readable media for detecting and mitigating effects of timing attacks in time sensitive networks
IT201900007071A1 (en) * 2019-05-21 2020-11-21 Turrin Elettr S R L SYSTEM FOR MONITORING THE FUNCTIONALITIES OF A VEHICLE
EP3772841B1 (en) 2019-08-06 2023-06-14 Nxp B.V. A security module for a can node
EP3772839B1 (en) * 2019-08-06 2023-01-04 Nxp B.V. Security module for a serial communications device
EP3772840B1 (en) 2019-08-06 2023-03-15 Nxp B.V. A security module for a can node
JP7409247B2 (en) * 2020-07-14 2024-01-09 株式会社デンソー Unauthorized intrusion prevention device, unauthorized intrusion prevention method, and unauthorized intrusion prevention program
DE102020211719A1 (en) * 2020-09-18 2022-03-24 Robert Bosch Gesellschaft mit beschränkter Haftung Method and apparatus for processing data associated with a message received over a communication system
US11425005B2 (en) 2020-11-10 2022-08-23 Fleet Defender, Inc. Controller area network anomaly detection

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020073243A1 (en) * 2000-12-09 2002-06-13 International Business Machines Corporation Intercommunication preprocessor
US20020161820A1 (en) * 2001-02-12 2002-10-31 Pellegrino Michael J. Consistent application programming interface for communicating with disparate vehicle network classes
US20040027076A1 (en) * 2000-12-18 2004-02-12 Hiroshi Shimizu Controller for electric automobile
US20060031582A1 (en) * 2002-11-12 2006-02-09 Pugel Michael A Conversion of alert messages for dissemination in a program distribution network
US20060028323A1 (en) * 2004-07-19 2006-02-09 Honda Motor Co., Ltd. Method and system for broadcasting audio and visual display messages to a vehicle
US20070030844A1 (en) * 2005-08-04 2007-02-08 Denso Corporation Vehicle communicaton method and system, function identifying system, and electronic control unit
US20090164551A1 (en) * 2007-12-21 2009-06-25 General Motors Corporation Sms and packet data performance monitoring
US7983820B2 (en) * 2003-07-02 2011-07-19 Caterpillar Inc. Systems and methods for providing proxy control functions in a work machine
US20130104231A1 (en) * 2011-10-25 2013-04-25 GM Global Technology Operations LLC Cyber security in an automotive network
US20140324278A1 (en) * 2013-03-23 2014-10-30 Dexen Industries, Inc. Networked monitoring system for automobiles
US20150020152A1 (en) * 2012-03-29 2015-01-15 Arilou Information Security Technologies Ltd. Security system and method for protecting a vehicle electronic system
US20150113638A1 (en) * 2013-10-23 2015-04-23 Christopher Valasek Electronic system for detecting and preventing compromise of vehicle electrical and control systems

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2351588B (en) 1999-07-01 2003-09-03 Ibm Security for network-connected vehicles and other network-connected processing environments
US9776597B2 (en) 2006-05-16 2017-10-03 Lear Corporation Vehicle with electronic system intrusion detection
US8126611B2 (en) 2007-03-16 2012-02-28 Autonetworks Technologies, Ltd. On-vehicle communication system

Patent Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020073243A1 (en) * 2000-12-09 2002-06-13 International Business Machines Corporation Intercommunication preprocessor
US20040027076A1 (en) * 2000-12-18 2004-02-12 Hiroshi Shimizu Controller for electric automobile
US20020161820A1 (en) * 2001-02-12 2002-10-31 Pellegrino Michael J. Consistent application programming interface for communicating with disparate vehicle network classes
US20060031582A1 (en) * 2002-11-12 2006-02-09 Pugel Michael A Conversion of alert messages for dissemination in a program distribution network
US7983820B2 (en) * 2003-07-02 2011-07-19 Caterpillar Inc. Systems and methods for providing proxy control functions in a work machine
US20060028323A1 (en) * 2004-07-19 2006-02-09 Honda Motor Co., Ltd. Method and system for broadcasting audio and visual display messages to a vehicle
US20070030844A1 (en) * 2005-08-04 2007-02-08 Denso Corporation Vehicle communicaton method and system, function identifying system, and electronic control unit
US20090164551A1 (en) * 2007-12-21 2009-06-25 General Motors Corporation Sms and packet data performance monitoring
US20130104231A1 (en) * 2011-10-25 2013-04-25 GM Global Technology Operations LLC Cyber security in an automotive network
US20150020152A1 (en) * 2012-03-29 2015-01-15 Arilou Information Security Technologies Ltd. Security system and method for protecting a vehicle electronic system
US20140324278A1 (en) * 2013-03-23 2014-10-30 Dexen Industries, Inc. Networked monitoring system for automobiles
US20150113638A1 (en) * 2013-10-23 2015-04-23 Christopher Valasek Electronic system for detecting and preventing compromise of vehicle electrical and control systems

Cited By (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11245549B2 (en) * 2015-07-17 2022-02-08 Robert Bosch Gmbh Bus system, subscriber station therefor, and method for configuring a static bus system for a dynamic communication
US11190533B2 (en) * 2016-07-05 2021-11-30 Panasonic Intellectual Property Corporation Of America Anomaly detection electronic control unit, onboard network system, and anomaly detection method
IT201600111869A1 (en) * 2016-11-07 2018-05-07 Magneti Marelli Spa "Procedure for monitoring data traffic in a motor vehicle or motor vehicle network"
EP3319275A1 (en) * 2016-11-07 2018-05-09 Magneti Marelli S.p.A. Method for monitoring data traffic in a motor-vehicle network
US20180131712A1 (en) * 2016-11-07 2018-05-10 MAGNETI MARELLI S.p.A. Method for monitoring data traffic in a motor-vehicle network
US20190342115A1 (en) * 2017-01-19 2019-11-07 Conti Temic Microelectronic Gmbh Method for operating a monitoring device for a data network of a motor vehicle and monitoring device, control unit and motor vehicle
CN109005147A (en) * 2017-06-07 2018-12-14 罗伯特·博世有限公司 The method for protecting vehicle network for avoiding the data being manipulated from transmitting
CN107508831A (en) * 2017-09-21 2017-12-22 华东师范大学 A kind of intrusion detection method based on bus
CN109660506A (en) * 2017-10-11 2019-04-19 大众汽车有限公司 Message sequence and identification are transmitted to the method and apparatus of the attack of message sequence
US20200259846A1 (en) * 2017-10-30 2020-08-13 Nippon Telegraph And Telephone Corporation Attack communication detection device, attack communication detection method, and program
US11588827B2 (en) * 2017-10-30 2023-02-21 Nippon Telegraph And Telephone Corporation Attack communication detection device, attack communication detection method, and program
US20210349993A1 (en) * 2018-10-11 2021-11-11 Autovisor Pte. Ltd System and method for detecting unauthorized connected devices in a vehicle
WO2021030123A1 (en) * 2019-08-12 2021-02-18 Voyomotive, Llc A method and apparatus for controller area network bus intrusion detection and neutralization
US20220303287A1 (en) * 2019-08-12 2022-09-22 Voyomotive, Llc Method and apparatus for controller area network bus intrusion detection and neutralization
US11641367B2 (en) * 2019-08-12 2023-05-02 Voyomotive, Llc Method and apparatus for controller area network bus intrusion detection and neutralization
CN110636048A (en) * 2019-08-27 2019-12-31 华东师范大学 Vehicle-mounted intrusion detection method and system based on ECU signal characteristic identifier
WO2021083112A1 (en) * 2019-10-31 2021-05-06 维沃移动通信有限公司 Information sharing method and electronic device
WO2021099186A3 (en) * 2019-11-22 2021-07-22 Volkswagen Aktiengesellschaft Method for monitoring communication on a communication bus, electronic device for connection to a communication bus, and central monitoring device for connection to a communication bus
CN112673344A (en) * 2020-07-30 2021-04-16 华为技术有限公司 Method, device and system for upgrading software

Also Published As

Publication number Publication date
US20160212162A1 (en) 2016-07-21
US9380070B1 (en) 2016-06-28

Similar Documents

Publication Publication Date Title
US9380070B1 (en) Intrusion detection mechanism
US11063970B2 (en) Attack detection method, attack detection device and bus system for a motor vehicle
US11934520B2 (en) Detecting data anomalies on a data interface using machine learning
US11356475B2 (en) Frame transmission prevention apparatus, frame transmission prevention method, and in-vehicle network system
JP7173039B2 (en) Information processing device, mobile device, method, and program
CN111147437B (en) Attributing bus disconnect attacks based on erroneous frames
EP3772840B1 (en) A security module for a can node
KR101972457B1 (en) Method and System for detecting hacking attack based on the CAN protocol
KR101966345B1 (en) Method and System for detecting bypass hacking attacks based on the CAN protocol
JP2019174426A (en) Abnormality detection device, abnormality detection method, and program
KR20210075458A (en) Control method, device and program of intrusion detection system based on can id filtering
US11394726B2 (en) Method and apparatus for transmitting a message sequence over a data bus and method and apparatus for detecting an attack on a message sequence thus transmitted
US11621967B2 (en) Electronic control unit, electronic control system, and recording medium
JP2016143963A (en) On-vehicle communication system
JP2021005821A (en) Abnormality detection device
US10666671B2 (en) Data security inspection mechanism for serial networks
US20110007897A1 (en) Communication node and network system
KR102204655B1 (en) A mitigation method against message flooding attacks for secure controller area network by predicting attack message retransfer time
KR102204656B1 (en) A mitigation system against message flooding attacks for secure controller area network by predicting transfer delay of normal can message
TWI605969B (en) Method for information security and surveillance of vehicle network system
US20230216873A1 (en) Detection system, detection method, and recording medium
US20230013980A1 (en) Frame invalidation in bus system via receive line
EP4213448A1 (en) Controller area network module and method for the module
KR20230052484A (en) Vehicle and controlling method of vehicle.
JP2020096322A (en) Illegal signal processing device

Legal Events

Date Code Title Description
STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION