	US 12,190,653 B2
	Automated detection of vehicle data manipulation and mechanical failure
Yu Seung Kim, San Jose, CA (US); Chun-Yu Chen, Ann Arbor, MI (US); and Kang Shin, Ann Arbor, MI (US)
Assigned to Ford Global Technologies, LLC, Dearborn, MI (US); and Regents of the University of Michigan, Ann Arbor, MI (US)
Filed by Ford Global Technologies, LLC, Dearborn, MI (US)
Filed on Oct. 6, 2020, as Appl. No. 17/064,417.
Prior Publication US 2022/0108569 A1, Apr. 7, 2022
Int. Cl. G07C 5/00 (2006.01); B60R 16/023 (2006.01); B60W 50/02 (2012.01); G07C 5/08 (2006.01)

CPC G07C 5/0808 (2013.01) [B60R 16/0231 (2013.01); B60W 50/0205 (2013.01); B60W 2510/0638 (2013.01); B60W 2520/10 (2013.01); B60W 2520/12 (2013.01); B60W 2520/14 (2013.01); B60W 2540/10 (2013.01); B60W 2540/12 (2013.01); B60W 2540/16 (2013.01); B60W 2540/18 (2013.01)]

16 Claims

1. A system for detecting and diagnosing vehicle anomalies comprising:

a plurality of sensors measuring vehicular data of a vehicle;

one or more processors;

a system memory, the system memory storing instructions to cause the one or more processors to:

receive a plurality of signals from the plurality of sensors via a controller area network (CAN) bus of the vehicle, each signal of the plurality of signals containing the vehicular data of the vehicle;

during a training phase:

train a machine learning model using the vehicular data obtained via the CAN bus of the vehicle during normal functioning of the vehicle;

generate a normal behavior model based on the trained machine learning model;

during a diagnostic phase:

group the plurality of signals into a plurality of detection sets, wherein each signal of the plurality of signals is included in at least one detection set of the plurality of detection sets, wherein at least one signal is present in at least two detection sets;

divide the plurality of detection sets into a first detection group including a first detection set and a second detection set among the plurality of detection sets and a second detection group including remaining detection sets in the plurality of detection sets;

continuously monitor the first detection group;

detect an anomaly within at least one detection set of the first detection group based on a comparison of signals in the first detection group to the normal behavior model;

cross-reference the at least one detection set of the first detection group with at least one other detection set of the second detection group to identify a source of the anomaly by:

identifying a signal type of the anomaly and corresponding to signals of the plurality of signals included in the at least one detection set;

selecting, among the second detection group, the at least one other detection set, wherein each detection set of the at least one other detection set includes one or more signals of the plurality of signals having the signal type; and

identifying, based on pass or fail cross-reference results of the at least one other detection set, that the anomaly is caused by a component failure when the one or more signals of the plurality of signals having the signal type of the anomaly in the at least one other detection set also exhibit the anomaly;

identifying, based on the pass or fail cross-reference results of the at least one other detection set, that the anomaly is caused by a targeted malicious data manipulation attack when the one or more signals of the plurality of signals having the signal type of the anomaly in the at least one other detection set do not exhibit the anomaly; and

output the source of anomaly.