	US 11,928,006 B2
	System and method for labeling bits of controller area network (CAN) messages
Yehiel Stein, Ramat Hasharon (IL); Yossi Vardi, Tel Aviv (IL); and Nadav George Costa, Gedera (IL)
Assigned to SAFERIDE TECHNOLOGIES LTD., Tel Aviv-Jaffa (IL)
Appl. No. 17/436,134
Filed by SAFERIDE TECHNOLOGIES LTD., Tel Aviv-Jaffa (IL)
PCT Filed Feb. 26, 2020, PCT No. PCT/IL2020/050213 § 371(c)(1), (2) Date Sep. 3, 2021, PCT Pub. No. WO2020/178811, PCT Pub. Date Sep. 10, 2020.
Claims priority of provisional application 62/820,886, filed on Mar. 20, 2019.
Claims priority of provisional application 62/817,648, filed on Mar. 13, 2019.
Claims priority of provisional application 62/813,188, filed on Mar. 4, 2019.
Prior Publication US 2022/0164248 A1, May 26, 2022
Int. Cl. G06F 11/07 (2006.01); G06N 20/20 (2019.01); G06F 11/30 (2006.01); G06F 11/34 (2006.01); H04L 12/40 (2006.01); G06N 3/044 (2023.01); H04L 9/40 (2022.01); G06F 21/55 (2013.01)

CPC G06F 11/0739 (2013.01) [G06F 11/0751 (2013.01); G06F 11/3013 (2013.01); G06F 11/3409 (2013.01); G06F 11/3452 (2013.01); G06N 3/044 (2023.01); G06N 20/20 (2019.01); H04L 12/40 (2013.01); H04L 63/1425 (2013.01); G06F 21/554 (2013.01); H04L 2012/40215 (2013.01); H04L 2012/40273 (2013.01)]

18 Claims

1. A system for generating an Anomaly Detection Engine (ADE) for Controller Area Network (CAN) messages, the system comprising a processing unit configured to:

obtain a training set including a plurality of CAN messages associated with respective one or more vehicles, each CAN message having properties including (a) a CAN message type, (b) a size, (c) a payload, and (d) a corresponding timestamp;

learn attributes for each CAN message type, based on at least one of the properties of a subset of the plurality of CAN messages having the respective CAN message type, wherein a given attribute of the attributes is based on an inter arrival time of the CAN messages of the subset and on a given statistical pattern is: (a) a synchronicity attribute upon the inter arrival time being derived from a stationary distribution, (b) an a-synchronicity attribute upon the inter arrival time not being derived from a non-stationary distribution, or (c) a hybridity attribute upon the inter arrival time of a second subset of the plurality of the CAN messages of the subset, not including at least one of the plurality of the CAN messages of the subset, being derived from a stationary distribution;

associate each CAN message type with one or more respective selected pre-defined model types of a plurality of candidate pre-defined model types, based on the learned attributes for the respective CAN message type;

train, for each CAN message type, one or more models of the respective one or more selected pre-defined model types, based on the corresponding subset, wherein each of the one or more models is usable for classifying a given CAN message of the respective CAN message type as anomalous or non-anomalous; and

generate the ADE, wherein the ADE is usable for classifying an unclassified CAN message of a given CAN message type as anomalous or non-anomalous based on results of execution of the one or more models of the respective CAN message type on the unclassified CAN message.