CPC G06F 11/0739 (2013.01) [G06F 11/0751 (2013.01); G06F 11/3013 (2013.01); G06F 11/3409 (2013.01); G06F 11/3452 (2013.01); G06N 3/044 (2023.01); G06N 20/20 (2019.01); H04L 12/40 (2013.01); H04L 63/1425 (2013.01); G06F 21/554 (2013.01); H04L 2012/40215 (2013.01); H04L 2012/40273 (2013.01)]
18 Claims
1. A system for generating an Anomaly Detection Engine (ADE) for Controller Area Network (CAN) messages, the system comprising a processing unit configured to:
obtain a training set including a plurality of CAN messages associated with respective one or more vehicles, each CAN message having properties including (a) a CAN message type, (b) a size, (c) a payload, and (d) a corresponding timestamp;
learn attributes for each CAN message type, based on at least one of the properties of a subset of the plurality of CAN messages having the respective CAN message type, wherein a given attribute of the attributes is based on an inter arrival time of the CAN messages of the subset and on a given statistical pattern is: (a) a synchronicity attribute upon the inter arrival time being derived from a stationary distribution, (b) an a-synchronicity attribute upon the inter arrival time not being derived from a non-stationary distribution, or (c) a hybridity attribute upon the inter arrival time of a second subset of the plurality of the CAN messages of the subset, not including at least one of the plurality of the CAN messages of the subset, being derived from a stationary distribution;
associate each CAN message type with one or more respective selected pre-defined model types of a plurality of candidate pre-defined model types, based on the learned attributes for the respective CAN message type;
train, for each CAN message type, one or more models of the respective one or more selected pre-defined model types, based on the corresponding subset, wherein each of the one or more models is usable for classifying a given CAN message of the respective CAN message type as anomalous or non-anomalous; and
generate the ADE, wherein the ADE is usable for classifying an unclassified CAN message of a given CAN message type as anomalous or non-anomalous based on results of execution of the one or more models of the respective CAN message type on the unclassified CAN message.
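The steps of claim 1 carried through on a constructed message set, as an added illustration that is not code from the patent or its applicant. The claim does not say how stationarity is tested or which model types exist, so the median-gap heuristic, the thresholds `TOL` and `HYBRID_MIN`, and the model types named `timing` and `payload` are all assumptions made for this example.

```python
from statistics import median
TOL, HYBRID_MIN = 0.2, 0.7  # assumed thresholds, not values from the claim
# Hypothetical candidate model types, selected from the learned attribute.
MODEL_TYPES = {"synchronous": ["timing"], "hybrid": ["timing", "payload"],
               "asynchronous": ["payload"]}

def learn_attribute(ts):
    """Label one message type from its inter-arrival times (IATs)."""
    iats = [b - a for a, b in zip(ts, ts[1:])]
    if len(iats) < 2:
        return "asynchronous"  # too few messages to call it periodic
    med = median(iats)
    regular = sum(abs(g - med) <= TOL * med for g in iats) / len(iats)
    if regular == 1.0:
        return "synchronous"   # every gap fits one period
    return "hybrid" if regular >= HYBRID_MIN else "asynchronous"

def train(msgs):
    """msgs: (timestamp_ms, can_id, payload) tuples. Returns the ADE state."""
    by_id, ade = {}, {}
    for t, can_id, payload in msgs:
        by_id.setdefault(can_id, []).append((t, payload))
    for can_id, rows in by_id.items():
        ts = [t for t, _ in rows]
        attr, models = learn_attribute(ts), {}
        if "timing" in MODEL_TYPES[attr]:   # period; strict only if synchronous
            period = median(b - a for a, b in zip(ts, ts[1:]))
            models["timing"] = (period, attr == "synchronous")
        if "payload" in MODEL_TYPES[attr]:  # per-byte (min, max) seen in training
            models["payload"] = [(min(c), max(c)) for c in zip(*(p for _, p in rows))]
        ade[can_id] = (attr, models)
    return ade

def classify(ade, can_id, gap, payload):
    """True (anomalous) if any model for this message type flags the message."""
    if can_id not in ade:
        return True                         # type never seen in training
    models = ade[can_id][1]
    period, strict = models.get("timing", (None, False))
    if period and (gap > (1 + TOL) * period or (strict and gap < (1 - TOL) * period)):
        return True                         # frame is off its learned schedule
    rng = models.get("payload")
    return rng is not None and (len(payload) != len(rng) or any(
        not lo <= b <= hi for b, (lo, hi) in zip(payload, rng)))

# Constructed sample: 0x100 periodic, 0x200 periodic plus events, 0x300 sporadic.
SAMPLE = ([(t, 0x100, bytes([t // 10 % 4])) for t in range(0, 500, 10)]
    + [(t, 0x200, b"\x01") for t in sorted([*range(0, 1000, 20), 105, 505, 905])]
    + [(t, 0x300, bytes([i])) for i, t in enumerate([3, 53, 60, 180, 195, 595, 604])])
```

`train(SAMPLE)` returns the per-type attribute and models; `classify` takes the gap in milliseconds since the previous frame of the same CAN ID.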