US 12,244,615 B2
Method for protection from cyber attacks to a vehicle based upon time analysis, and corresponding device
Christian Rosadini, Corbetta (IT); Simona Chiarelli, Corbetta (IT); Walter Nesci, Corbetta (IT); Sergio Saponara, Pisa (IT); Alessio Gagliardi, Catanzaro (IT); and Pierpaolo Dini, SanFrediano a Settimo Cascina Pisa (IT)
Assigned to Marelli Europe S.p.A., Corbetta (IT)
Filed by Marelli Europe S.p.A., Corbetta (IT)
Filed on Sep. 2, 2022, as Appl. No. 17/929,370.
Claims priority of application No. 102021000022919 (IT), filed on Sep. 6, 2021.
Prior Publication US 2023/0080521 A1, Mar. 16, 2023
Int. Cl. H04L 9/40 (2022.01)
CPC H04L 63/1416 (2013.01) 9 Claims
OG exemplary drawing
 
1. A method for protection from cyber attacks in a communication network, in particular a CAN (Controller Area Network), of a vehicle, wherein the vehicle includes a communication bus, in particular a CAN-bus, and a plurality of nodes associated to said communication bus in a signal-exchange relationship and associated at least in part to control units for controlling functions of the vehicle,
wherein the nodes exchange messages passing between nodes of the plurality of nodes, and
the messages are identified by respective message identifiers,
said method including, at a control node associated to said communication bus, the steps of:
selecting, from among the messages exchanged between the nodes, periodic messages having a transmission periodicity,
grouping said periodic messages into respective groups according to the respective period, and
performing a procedure of analysis of messages of the nodes that exchange said received periodic messages, which comprises, for each group of transmission periodicity:
obtaining times of arrival at the respective nodes of a set of periodic messages that have the same message identifier,
computing as a function of said arrival times average-offset values over successive subsets, of a given number of messages, of said set of received messages,
accumulating said average-offset values for each identifier with respect to each successive subset to obtain accumulated-offset values for each successive subset and a respective identifier,
identifying linear parameters by computing a regression over said accumulated-offset values for each successive subset and respective identifier, said computation comprising computing an angular coefficient, or slope, of the regression, and an intercept, or identification error,
computing, on the basis of average-offset values obtained at the step of computing as a function of said arrival times average-offset values over successive subsets, a correlation coefficient (p) of the average offset of pairs of messages identified as coming from one and the same node,
performing a first check to determine whether the correlation coefficient is higher than a first given threshold,
performing a second check to determine whether the angular coefficient between two consecutive messages with the same identifier is higher than a second given threshold,
performing a third check to determine whether the intercept between two consecutive messages is higher than a third given threshold, and
supplying the results of said first check, said second check, and said third check to a message-classification operation, configured to supply a confirmation of classification of the messages according to the transmitting node and message identifier or an indication of classification error as a function of said results.